2017
A Software Behavior Model Based on Taint Analysis of System Call Arguments
Abstract:
Building on a fine-grained dynamic binary analysis platform, this paper proposes a method for constructing a software behavior model through taint analysis of system call arguments. The method monitors the running application at the instruction level and tracks the taint propagation of system call arguments to obtain the relationships between arguments and other arguments, local variables and external data, from which the taint propagation chains of the arguments are extracted. Next, based on the argument taint propagation chains and the system call sequence, a dynamic software behavior model is constructed that reflects both control-flow and data-flow characteristics. Finally, the model is analyzed and shown to be capable of detecting stealthy non-control-data attacks.
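The following is an added, simplified illustration of the idea in the abstract, not the paper's implementation: a model learned from benign traces that records both the allowed system call sequence (control flow) and, per argument, the taint chains the argument's value was observed to derive from (data flow). The taint labels ("const", "local", "ext", "arg:<syscall>.<arg>") and the traces are constructed assumptions; the point shown is that a non-control-data attack leaves the syscall sequence intact and is caught only by the argument-taint check.

```python
from collections import defaultdict

# Trace events are (syscall, {argument: taint_chain}). The taint chain is a
# constructed label for where an argument's bytes came from: "const" (program
# constant), "local" (internally computed), "ext" (external input) or
# "arg:<syscall>.<arg>" (propagated from an earlier argument or return value).
# These labels are assumptions of this illustration, not the paper's format.
NORMAL_TRACES = [[
    ("open", {"path": "const"}),
    ("read", {"fd": "arg:open.ret", "buf": "local"}),
    ("open", {"path": "const"}),
    ("write", {"fd": "arg:open.ret", "buf": "arg:read.buf"}),
    ("close", {"fd": "arg:open.ret"}),
]]

def build_model(traces):
    """Learn allowed syscall transitions (control flow) and, for each
    argument, the taint chains observed in benign runs (data flow)."""
    transitions, arg_taint = set(), defaultdict(set)
    for trace in traces:
        prev = "<start>"
        for name, args in trace:
            transitions.add((prev, name))
            for arg, chain in args.items():
                arg_taint[(name, arg)].add(chain)
            prev = name
    return transitions, arg_taint

def check_trace(model, trace):
    """Return (index, reason) anomalies; [] means the trace matches both
    the syscall-sequence model and the per-argument taint model."""
    transitions, arg_taint = model
    anomalies, prev = [], "<start>"
    for i, (name, args) in enumerate(trace):
        if (prev, name) not in transitions:
            anomalies.append((i, f"unexpected transition {prev}->{name}"))
        for arg, chain in args.items():
            if chain not in arg_taint.get((name, arg), set()):
                anomalies.append((i, f"{name}.{arg} tainted from {chain}"))
        prev = name
    return anomalies

# Constructed non-control-data attack: the syscall sequence is identical to
# the benign run, but the path handed to the second open() now originates
# from external input (a corrupted filename variable), so a sequence-only
# model sees nothing while the argument-taint model flags event 2.
NON_CONTROL_DATA_ATTACK = list(NORMAL_TRACES[0])
NON_CONTROL_DATA_ATTACK[2] = ("open", {"path": "ext"})
```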